George King, Posted May 2, 2022

@Dietmar It's only netio.sys: https://anonfiles.com/Peec49cey9/netio_sys

And here is also msrpc 5048, to give it a try without the deleted import in netio: https://anonfiles.com/35p248c9y6/msrpc_5048_sys

Edited May 2, 2022 by George King
Dietmar, Posted May 2, 2022

@George King With the 5048 msrpc.sys and the "original" netio.sys I get another BSOD.

Dietmar

Microsoft (R) Windows Debugger Version 6.3.9600.17200 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Using NET for debugging
Opened WinSock 2.0
Waiting to reconnect...
Connected to target 192.168.2.102 on port 50000 on local IP 192.168.2.101.
Connected to Windows XP 2600 x86 compatible target at (Tue May 3 00:04:50.531 2022 (UTC + 2:00)), ptr64 FALSE
Kernel Debugger connection established.

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\Symbols
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\symbolssss
Symbol search path is: C:\symbolssss
Executable search path is: C:\Symbols
Windows XP Kernel Version 2600 MP (1 procs) Checked x86 compatible
Built by: 2600.xpsp.080413-2133
Machine Name:
Kernel base = 0x80a02000 PsLoadedModuleList = 0x80b019e8
System Uptime: not available
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             E:\binaries.x86fre\Symbols
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\Symbols
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\symbolssss
OK                                             C:\symbols
OK                                             C:\symbolss
OK                                             C:\symbolsss
OK                                             E:\binaries.x86fre\Symbols
Deferred                                       https://msdl.microsoft.com/download/symbols
Deferred                                       srv*
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
80ac37e0 cc              int     3
kd> g
MM: Loader/HAL memory block indicates large pages cannot be used for 80100000->8012777F
MTRR feature disabled.
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
KiInitializeMTRR: OS support for MTRRs disabled
PS: Unhandled Kernel Mode Exception Pointers = 0xB84C6F94
Code c0000005 Addr B79B0DFB Info0 00000000 Info1 0000001C Info2 0000001C Info3 80AD6560

*** Fatal System Error: 0x0000007e
                       (0xC0000005,0xB79B0DFB,0xB84C7448,0xB84C7144)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Tue May 3 00:04:55.859 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...................................................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, b79b0dfb, b84c7448, b84c7144}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrnx.exe -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrn8.sys -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for NETIO.SYS -
Probably caused by : ntoskrnx.exe ( ntoskrnx!ExAllocatePoolWithTag+389 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
80ac37ec cc              int     3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b79b0dfb, The address that the exception occurred at
Arg3: b84c7448, Exception Record Address
Arg4: b84c7144, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

FAULTING_IP:
ntoskrnx!ExAllocatePoolWithTag+389
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch]

EXCEPTION_RECORD:  b84c7448 -- (.exr 0xffffffffb84c7448)
ExceptionAddress: b79b0dfb (ntoskrnx!ExAllocatePoolWithTag+0x00000389)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000001c
Attempt to read from address 0000001c

CONTEXT:  b84c7144 -- (.cxr 0xffffffffb84c7144;r)
eax=00000001 ebx=00000000 ecx=00000002 edx=00000002 esi=00000000 edi=80af8280
eip=b79b0dfb esp=b84c7510 ebp=b84c7564 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
ntoskrnx!ExAllocatePoolWithTag+0x389:
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch] ds:0023:0000001c=????????
Last set context:
eax=00000001 ebx=00000000 ecx=00000002 edx=00000002 esi=00000000 edi=80af8280
eip=b79b0dfb esp=b84c7510 ebp=b84c7564 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
ntoskrnx!ExAllocatePoolWithTag+0x389:
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch] ds:0023:0000001c=????????
Resetting default scope

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0000001c

READ_ADDRESS:  0000001c

FOLLOWUP_IP:
ntoskrnx!ExAllocatePoolWithTag+389
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from b7a60bce to b79b0dfb

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b84c7564 b7a60bce 00000001 ffdff120 67727453 ntoskrnx!ExAllocatePoolWithTag+0x389
b84c7590 b7a08389 b84c75c0 b84c75f8 00000001 ntoskrnx!ExfReleasePushLock+0x352
b84c75d0 b792b599 b84c75f8 b84c7608 00000000 ntoskrnx!MmGetSystemRoutineAddress+0x49
b84c75e4 b766443d b84c75f8 8b30e1d6 00000000 ntoskrn8!MmGetSystemRoutineAddress+0x19
b84c7604 b766a01c 8b30e1d6 80b97c38 b84c7624 NETIO!RtlInvokeStartRoutines+0x73
b84c7634 80d37c99 b766a005 80084000 80084000 NETIO!DllInitialize+0x17
b84c7684 80d341f1 80084000 b84c76a0 00034000 nt!IopInitializeBootDrivers+0xe1
b84c7830 80d31940 80084000 00000000 8b343670 nt!IoInitSystem+0x82d
b84c7dac 80bd81ac 80084000 00000000 00000000 nt!Phase1Initialization+0xb12
b84c7ddc 80ae4212 80d30e2e 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ntoskrnx!ExAllocatePoolWithTag+389

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntoskrnx

IMAGE_NAME:  ntoskrnx.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  6134229e

IMAGE_VERSION:  5.1.2600.16384

STACK_COMMAND:  .cxr 0xffffffffb84c7144 ; kb

FAILURE_BUCKET_ID:  0x7E_ntoskrnx!ExAllocatePoolWithTag+389

BUCKET_ID:  0x7E_ntoskrnx!ExAllocatePoolWithTag+389

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x7e_ntoskrnx!exallocatepoolwithtag+389

FAILURE_ID_HASH:  {a448a1a7-43f8-ac55-b1fd-a5ed200a631a}

Followup: MachineOwner
---------

11: kd> lm
start    end        module name
80100000 80127780   HAL3       (deferred)
80128000 80150000   kdcom      (deferred)
80150000 8017a000   KDSTUB     (deferred)
802d9000 802e9a80   pci        (deferred)
80a02000 80da3000   nt         (pdb symbols)    C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\5B9E8A586D3D49D98927B5D5117577231\ntkrpamp.pdb
b7616000 b762fe80   Mup        (deferred)
b7630000 b766f000   NETIO      (export symbols) NETIO.SYS
b766f000 b7699000   msrpc      (deferred)
b7699000 b7751000   NDIS       (deferred)
b7751000 b77ddd00   Ntfs       (deferred)
b77de000 b783b000   UsbHub3    (deferred)
b783b000 b7880000   USBXHCI    (deferred)
b7880000 b7896b80   KSecDD     (deferred)
b7897000 b78a8f00   sr         (deferred)
b78a9000 b78c8b00   fltMgr     (deferred)
b78c9000 b78e0880   SCSIPORT   (deferred)
b78e1000 b792a000   storport   (deferred)
b792a000 b794db80   ntoskrn8   (export symbols) ntoskrn8.sys
b794e000 b7b25e80   ntoskrnx   (export symbols) ntoskrnx.exe
b7b26000 b7b39000   storahci   (deferred)
b7b39000 b7b50900   atapi      (deferred)
b7b51000 b7e06000   iaStor     (deferred)
b7e06000 b7e2ba00   dmio       (deferred)
b7e2c000 b7e4ad80   ftdisk     (deferred)
b7e4b000 b7e7a000   ucx01000   (deferred)
b7e7a000 b7ea9d80   ACPI       (deferred)
b7eaa000 b7f2c000   WDF01_W8   (deferred)
b7f2c000 b7f4b000   asmthub3   (deferred)
b7f4b000 b7fa7000   asmtxhci   (deferred)
b80a8000 b80b6000   WDFLDR8    (deferred)
b80b8000 b80c1300   isapnp     (deferred)
b80c8000 b80d2000   WppRecorder (deferred)
b80d8000 b80e2580   MountMgr   (deferred)
b80e8000 b80f5200   VolSnap    (deferred)
b80f8000 b8106000   stornvme   (deferred)
b8108000 b8118000   asahci32   (deferred)
b8118000 b8120e00   disk       (deferred)
b8128000 b8134180   CLASSPNP   (deferred)
b8138000 b8141000   USBD_W8    (deferred)
b8148000 b8157100   ohci1394   (deferred)
b8158000 b8165080   1394BUS    (deferred)
b8328000 b832e780   USBSTOR    (deferred)
b8330000 b8336180   PCIIDEX    (deferred)
b8338000 b833cd00   PartMgr    (deferred)
b8340000 b8344c00   storpor8   (deferred)
b84b8000 b84bb000   BOOTVID    (deferred)
b84bc000 b84bef80   ACPIEC     (deferred)
b85a8000 b85a9100   WMILIB     (deferred)
b85aa000 b85ab500   USBD       (deferred)
b85ac000 b85ad700   dmload     (deferred)
b8670000 b8670d00   pciide     (deferred)
b8671000 b8671d80   OPRGHDLR   (deferred)
George King, Posted May 2, 2022

@Dietmar Try to replace ntoskrnx.exe with this one: https://anonfiles.com/R4974dc4y8/ntoskrnx_exe
Dietmar, Posted May 2, 2022

@George King Now I get a very similar BSOD.

Dietmar

Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
8052b718 cc              int     3
kd> g

*** Fatal System Error: 0x0000007e
                       (0xC0000005,0xB79B0DFB,0xB84C7454,0xB84C7150)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Tue May 3 00:24:59.796 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...................................................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, b79b0dfb, b84c7454, b84c7150}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrnx.exe -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrn8.sys -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for NETIO.SYS -
Probably caused by : ntoskrnx.exe ( ntoskrnx!ExAllocatePoolWithTag+389 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b79b0dfb, The address that the exception occurred at
Arg3: b84c7454, Exception Record Address
Arg4: b84c7150, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

FAULTING_IP:
ntoskrnx!ExAllocatePoolWithTag+389
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch]

EXCEPTION_RECORD:  b84c7454 -- (.exr 0xffffffffb84c7454)
ExceptionAddress: b79b0dfb (ntoskrnx!ExAllocatePoolWithTag+0x00000389)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000001c
Attempt to read from address 0000001c

CONTEXT:  b84c7150 -- (.cxr 0xffffffffb84c7150;r)
eax=00000001 ebx=00000000 ecx=00000002 edx=00000002 esi=00000000 edi=80557180
eip=b79b0dfb esp=b84c751c ebp=b84c7570 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
ntoskrnx!ExAllocatePoolWithTag+0x389:
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch] ds:0023:0000001c=????????
Last set context:
eax=00000001 ebx=00000000 ecx=00000002 edx=00000002 esi=00000000 edi=80557180
eip=b79b0dfb esp=b84c751c ebp=b84c7570 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
ntoskrnx!ExAllocatePoolWithTag+0x389:
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch] ds:0023:0000001c=????????
Resetting default scope

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0000001c

READ_ADDRESS:  0000001c

FOLLOWUP_IP:
ntoskrnx!ExAllocatePoolWithTag+389
b79b0dfb 8b761c          mov     esi,dword ptr [esi+1Ch]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from b7a60bce to b79b0dfb

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b84c7570 b7a60bce 00000001 ffdff120 67727453 ntoskrnx!ExAllocatePoolWithTag+0x389
b84c759c b7a08389 b84c75cc b84c7604 00000001 ntoskrnx!ExfReleasePushLock+0x352
b84c75dc b792b599 b84c7604 00000000 00000000 ntoskrnx!MmGetSystemRoutineAddress+0x49
b84c75f0 b766443d b84c7604 98969b06 00000000 ntoskrn8!MmGetSystemRoutineAddress+0x19
b84c7610 b766a01c 98969b06 805ad41e b84c7630 NETIO!RtlInvokeStartRoutines+0x73
b84c7640 8069de4c b766a005 80084000 80084000 NETIO!DllInitialize+0x17
b84c7690 8069af70 80084000 b84c76ac 00034000 nt!IopInitializeBootDrivers+0xd4
b84c7838 806993d3 80084000 00000000 989a89b0 nt!IoInitSystem+0x712
b84c7dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7
b84c7ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ntoskrnx!ExAllocatePoolWithTag+389

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntoskrnx

IMAGE_NAME:  ntoskrnx.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  6134229e

IMAGE_VERSION:  5.1.2600.16384

STACK_COMMAND:  .cxr 0xffffffffb84c7150 ; kb

FAILURE_BUCKET_ID:  0x7E_ntoskrnx!ExAllocatePoolWithTag+389

BUCKET_ID:  0x7E_ntoskrnx!ExAllocatePoolWithTag+389

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x7e_ntoskrnx!exallocatepoolwithtag+389

FAILURE_ID_HASH:  {a448a1a7-43f8-ac55-b1fd-a5ed200a631a}

Followup: MachineOwner
---------

11: kd> lm
start    end        module name
80100000 8012a000   KDSTUB     (deferred)
80289000 80299a80   pci        (deferred)
804d7000 806e5000   nt         (pdb symbols)    C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80705d00   hal        (deferred)
80706000 8072e000   kdcom      (deferred)
b7616000 b762fe80   Mup        (deferred)
b7630000 b766f000   NETIO      (export symbols) NETIO.SYS
b766f000 b7699000   msrpc      (deferred)
b7699000 b7751000   NDIS       (deferred)
b7751000 b77ddd00   Ntfs       (deferred)
b77de000 b783b000   UsbHub3    (deferred)
b783b000 b7880000   USBXHCI    (deferred)
b7880000 b7896b80   KSecDD     (deferred)
b7897000 b78a8f00   sr         (deferred)
b78a9000 b78c8b00   fltMgr     (deferred)
b78c9000 b78e0880   SCSIPORT   (deferred)
b78e1000 b792a000   storport   (deferred)
b792a000 b794db80   ntoskrn8   (export symbols) ntoskrn8.sys
b794e000 b7b25e80   ntoskrnx   (export symbols) ntoskrnx.exe
b7b26000 b7b39000   storahci   (deferred)
b7b39000 b7b50900   atapi      (deferred)
b7b51000 b7e06000   iaStor     (deferred)
b7e06000 b7e2ba00   dmio       (deferred)
b7e2c000 b7e4ad80   ftdisk     (deferred)
b7e4b000 b7e7a000   ucx01000   (deferred)
b7e7a000 b7ea9d80   ACPI       (deferred)
b7eaa000 b7f2c000   WDF01_W8   (deferred)
b7f2c000 b7f4b000   asmthub3   (deferred)
b7f4b000 b7fa7000   asmtxhci   (deferred)
b80a8000 b80b6000   WDFLDR8    (deferred)
b80b8000 b80c1300   isapnp     (deferred)
b80c8000 b80d2000   WppRecorder (deferred)
b80d8000 b80e2580   MountMgr   (deferred)
b80e8000 b80f5200   VolSnap    (deferred)
b80f8000 b8106000   stornvme   (deferred)
b8108000 b8118000   asahci32   (deferred)
b8118000 b8120e00   disk       (deferred)
b8128000 b8134180   CLASSPNP   (deferred)
b8138000 b8141000   USBD_W8    (deferred)
b8148000 b8157100   ohci1394   (deferred)
b8158000 b8165080   1394BUS    (deferred)
b8328000 b832e780   USBSTOR    (deferred)
b8330000 b8336180   PCIIDEX    (deferred)
b8338000 b833cd00   PartMgr    (deferred)
b8340000 b8344c00   storpor8   (deferred)
b84b8000 b84bb000   BOOTVID    (deferred)
b84bc000 b84bef80   ACPIEC     (deferred)
b85a8000 b85a9100   WMILIB     (deferred)
b85aa000 b85ab500   USBD       (deferred)
b85ac000 b85ad700   dmload     (deferred)
b8670000 b8670d00   pciide     (deferred)
b8671000 b8671d80   OPRGHDLR   (deferred)
Damnation (Author), Posted May 3, 2022

@Dietmar @George King I'm not sure how to implement the KiSystemService function for all the ZwAlpc functions that msrpc.sys depends on. KiSystemService depends on a lot of functions and is very large~
Dietmar, Posted May 3, 2022

@Mov AX, 0xDEAD Can you help us? Maybe not much is missing.

Dietmar
George King, Posted May 3, 2022

@Dietmar Have you tried it with the patched netio, without the msrpc needs?
Damnation (Author), Posted May 3, 2022

@Dietmar I think I might have found a way to implement it, TBD~

edit: even using a precompiled trap.obj I can't resolve missing externals.

Edited May 4, 2022 by Damnation
George King, Posted May 7, 2022

@Damnation Can you please try to get pseudo code for IoSynchronousCallDriver from the Windows 8.0 ntoskrnl.exe? I have already added it as "return success", so now I have no missing imports in the Windows 8.0 sdstor.sys build 8056, and only this one function needs to be finished to get a generic SD/MMC driver for Windows XP - 7.

I have added IoSynchronousCallDriver from the Windows 8.0 DDK wdm.h to ntoskrn8.c.

wdm.h code from the Windows 8.0 DDK:

#if (NTDDI_VERSION >= NTDDI_WIN8)
NTKERNELAPI
NTSTATUS
IoSynchronousCallDriver(
    _In_ PDEVICE_OBJECT DeviceObject,
    _In_ PIRP Irp
    );
#endif

Code adaptation for ntoskrn8.c:

NTSTATUS IoSynchronousCallDriver_k8 (
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
    )
{
    return STATUS_SUCCESS;
}

In ntoskrn_redirects.h I have added this to the section "< Win8 x32/x64 Extender":

k8_win8( IoSynchronousCallDriver, 8)

+ I have added the missing Windows 7 kernel export.

With this I can install that driver, but there is still one not-installed HDD device that can't be installed on my laptop with Windows 7. The same issue will be on XP too (probably). I think it's related to this newly added import, as it currently does nothing. I can't get pseudo code in IDA to start working on rewriting that function to readable code. Can you please have a look at it? We are a small step from another generic driver for XP. When we can get this driver to work I can try to install XP in 32-bit UEFI on an Intel Compute Stick.

@Mov AX, 0xDEAD Maybe you have a better idea to achieve it?

Modded driver for XP is attached: Generic Windows8.0 build 8056 SD+MCC driver for Windows XP x86.7z

Edited May 7, 2022 by George King
Damnation (Author), Posted May 7, 2022

@George King here, pseudocode will need reworking to be functional though.

NTSTATUS IoSynchronousCallDriver_k8 ( PDEVICE_OBJECT DeviceObject, PIRP Irp )
{
    // local_0x18 (4 bytes) + local_0x14 (20 bytes) is one stack object;
    // the first 16 bytes are a KEVENT: header, SignalState, WaitListHead.
    unsigned int  local_0x18;        // [esp-24]
    unsigned char local_0x14[20];    // [esp-20]
    unsigned long v1;                // eax

    local_0x18 = (unsigned char)&local_0x18 & 0xFFFFFF00;   // decompiler noise
    local_0x14[0] = 0;               // SignalState = 0 (not signalled)
    local_0x18 = 1024;               // header 0x00000400: Type 0 = NotificationEvent, Size 4
    local_0x14[8] = &local_0x18[2];  // WaitListHead.Blink = &WaitListHead
    local_0x14[4] = &local_0x18[2];  // WaitListHead.Flink = &WaitListHead
    // i.e. KeInitializeEvent(&event, NotificationEvent, FALSE) inlined

    // Irp+96 (0x60) is Irp->Tail.Overlay.CurrentStackLocation; the next-lower
    // IO_STACK_LOCATION is 36 bytes below it, so -4 = Context, -8 =
    // CompletionRoutine and -33 = Control of the next stack location.
    *(*(Irp + 96) + 4294967292) = &local_0x18;                 // Context = &event
    *(*(Irp + 96) + 4294967288) = &CmpCompleteFlushAndPurgeIrp; // CompletionRoutine (name as IDA resolved it)
    *(*(Irp + 96) + 4294967263) = 224;                         // Control = 0xE0: invoke on success|error|cancel
    // i.e. IoSetCompletionRoutine(Irp, routine, &event, TRUE, TRUE, TRUE)

    v1 = IofCallDriver( DeviceObject, Irp );
    if( v1 == 259 )                  // 0x103 = STATUS_PENDING
    {
        KeWaitForSingleObject( &local_0x18, 5, 0, 0, 0 );   // (&event, wait reason 5, KernelMode, FALSE, NULL)
        v1 = *(Irp + 24);            // Irp->IoStatus.Status (offset 0x18)
    }
    return v1;
}

Edited May 7, 2022 by Damnation
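Added example, not code from this thread or from ntoskrnl_emu: a user-mode C model of the control flow the decompile above encodes (event on the stack, completion routine that signals it, wait only on STATUS_PENDING, then read IoStatus.Status), placed beside the "return STATUS_SUCCESS" placeholder from George King's post so the two can be run against the same lower drivers. Every type and routine here (IRP, KEVENT, IofCallDriver, IoCompleteRequest, KeWaitForSingleObject and the rest) is a simplified stand-in that I assume for the model, not the ntddk.h definition; the two lower drivers are constructed. The point it shows is that the placeholder never forwards the IRP, so the caller gets a success status the lower driver never produced, while the reconstructed form returns whatever the lower driver completed the IRP with.

```c
/* User-mode model of the IoSynchronousCallDriver pattern (added example; all
 * types/routines are simplified stand-ins for the WDK ones, an assumption). */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)
#define STATUS_PENDING                  ((NTSTATUS)0x00000103L)  /* 259 in the decompile */
#define STATUS_MORE_PROCESSING_REQUIRED ((NTSTATUS)0xC0000016L)
#define STATUS_NO_SUCH_DEVICE           ((NTSTATUS)0xC000000EL)

typedef struct _IRP IRP, *PIRP;
typedef struct _DEVICE_OBJECT DEVICE_OBJECT, *PDEVICE_OBJECT;
typedef NTSTATUS (*PIO_COMPLETION_ROUTINE)(PDEVICE_OBJECT, PIRP, void *);
typedef NTSTATUS (*PDRIVER_DISPATCH)(PDEVICE_OBJECT, PIRP);
typedef struct { bool Signaled; } KEVENT;             /* stand-in for KEVENT */

struct _IRP {
    struct { NTSTATUS Status; } IoStatus;             /* Irp+0x18 on x86 */
    PIO_COMPLETION_ROUTINE CompletionRoutine;         /* next-lower stack slot */
    void *Context;
    bool Completed;                                   /* did any driver complete it */
};
struct _DEVICE_OBJECT { PDRIVER_DISPATCH Dispatch; };

/* A driver that returned STATUS_PENDING parks its IRP here; in this
 * single-threaded model "later" is whenever somebody waits. */
static struct { PDEVICE_OBJECT Dev; PIRP Irp; NTSTATUS Status; } g_parked;

static void KeInitializeEvent(KEVENT *e) { e->Signaled = false; }
static void KeSetEvent(KEVENT *e)        { e->Signaled = true; }
static void IoSetCompletionRoutine(PIRP Irp, PIO_COMPLETION_ROUTINE r, void *ctx)
{ Irp->CompletionRoutine = r; Irp->Context = ctx; }
static NTSTATUS IofCallDriver(PDEVICE_OBJECT dev, PIRP Irp) { return dev->Dispatch(dev, Irp); }

/* Completing an IRP fills IoStatus and runs the caller's completion routine. */
static void IoCompleteRequest(PDEVICE_OBJECT dev, PIRP Irp, NTSTATUS status)
{
    Irp->IoStatus.Status = status;
    Irp->Completed = true;
    if (Irp->CompletionRoutine) Irp->CompletionRoutine(dev, Irp, Irp->Context);
}

/* Blocking wait: only the parked IRP completing can signal the event, so
 * waiting means letting that deferred completion run. */
static void KeWaitForSingleObject(KEVENT *e)
{
    while (!e->Signaled && g_parked.Irp) {
        PIRP p = g_parked.Irp; g_parked.Irp = NULL;
        IoCompleteRequest(g_parked.Dev, p, g_parked.Status);
    }
}

/* Completion routine paired with the stack event: wake the waiter and keep
 * the IRP alive for the caller. Constructed name, not a kernel symbol. */
static NTSTATUS SyncCallCompletion(PDEVICE_OBJECT dev, PIRP Irp, void *ctx)
{
    (void)dev; (void)Irp;
    KeSetEvent((KEVENT *)ctx);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/* Readable form of the decompiled function. */
NTSTATUS IoSynchronousCallDriver_model(PDEVICE_OBJECT dev, PIRP Irp)
{
    KEVENT event;
    NTSTATUS status;
    KeInitializeEvent(&event);                               /* header 1024, list to self */
    IoSetCompletionRoutine(Irp, SyncCallCompletion, &event); /* Control 0xE0 */
    status = IofCallDriver(dev, Irp);
    if (status == STATUS_PENDING) {                          /* 259 */
        KeWaitForSingleObject(&event);
        status = Irp->IoStatus.Status;                       /* *(Irp+24) */
    }
    return status;
}

/* The thread's placeholder: reports success without forwarding the IRP. */
NTSTATUS IoSynchronousCallDriver_stub(PDEVICE_OBJECT dev, PIRP Irp)
{ (void)dev; (void)Irp; return STATUS_SUCCESS; }

/* Two constructed lower drivers: one completes inline, one parks the IRP
 * and later completes it with an error, as an absent SD card might. */
NTSTATUS InlineDriver(PDEVICE_OBJECT dev, PIRP Irp)
{ IoCompleteRequest(dev, Irp, STATUS_SUCCESS); return STATUS_SUCCESS; }
NTSTATUS DeferringDriver(PDEVICE_OBJECT dev, PIRP Irp)
{ g_parked.Dev = dev; g_parked.Irp = Irp; g_parked.Status = STATUS_NO_SUCH_DEVICE; return STATUS_PENDING; }

/* Run one wrapper against one driver on a fresh IRP; return the wrapper's
 * status and, if asked, whether the lower driver ever completed the IRP. */
NTSTATUS RunCall(NTSTATUS (*wrapper)(PDEVICE_OBJECT, PIRP), PDRIVER_DISPATCH driver, bool *completed)
{
    DEVICE_OBJECT dev = { driver };
    IRP irp = { { STATUS_PENDING }, NULL, NULL, false };   /* sentinel status */
    NTSTATUS s;
    g_parked.Irp = NULL;
    s = wrapper(&dev, &irp);
    if (completed) *completed = irp.Completed;
    return s;
}
bool DriverRan(NTSTATUS (*wrapper)(PDEVICE_OBJECT, PIRP), PDRIVER_DISPATCH driver)
{ bool c; RunCall(wrapper, driver, &c); return c; }

int main(void)
{
    printf("model, inline driver:    0x%08lx\n", (unsigned long)RunCall(IoSynchronousCallDriver_model, InlineDriver, NULL));
    printf("model, deferring driver: 0x%08lx\n", (unsigned long)RunCall(IoSynchronousCallDriver_model, DeferringDriver, NULL));
    printf("stub,  deferring driver: 0x%08lx (driver ran: %d)\n",
           (unsigned long)RunCall(IoSynchronousCallDriver_stub, DeferringDriver, NULL),
           DriverRan(IoSynchronousCallDriver_stub, DeferringDriver));
    return 0;
}
```

The ordering is the part worth checking against the decompile: the completion routine must be installed before IofCallDriver, it must return STATUS_MORE_PROCESSING_REQUIRED so the IRP is not torn down under the caller, and IoStatus.Status is only authoritative after the wait returns, which is why the decompile re-reads *(Irp+24) inside the STATUS_PENDING branch.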
George King, Posted May 7, 2022

@Damnation Hmm, OK, I have no idea how to rewrite it. Can you try please?

1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2503) : error C2109: subscript requires array or pointer type
1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2504) : error C2109: subscript requires array or pointer type
1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2505) : error C2676: binary '+' : 'IRP' does not define this operator or a conversion to a type acceptable to the predefined operator
1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2506) : error C2676: binary '+' : 'IRP' does not define this operator or a conversion to a type acceptable to the predefined operator
1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2506) : error C2065: 'CmpCompleteFlushAndPurgeIrp' : undeclared identifier
1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2507) : error C2676: binary '+' : 'IRP' does not define this operator or a conversion to a type acceptable to the predefined operator
1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2510) : error C2664: 'KeWaitForSingleObject' : cannot convert parameter 2 from 'int' to 'KWAIT_REASON'
1>c:\users\administrator\desktop\ntoskrnl_emu-master\ntoskrn8.c(2511) : error C2440: '=' : cannot convert from 'IRP' to 'unsigned long'

Edited May 7, 2022 by George King
Damnation (Author), Posted May 7, 2022

@George King I'll try making workable code out of it, no guarantees. If you're willing to put up with 32-bit only, I can make an exact copy of this function in assembly, if you want?
Damnation (Author), Posted May 8, 2022

@Dietmar @George King @Mov AX, 0xDEAD I've gotten a KiSystemService implementation building with a precompiled object. I'll upload what I have in a bit, hopefully that'll help with the msrpc.sys BSOD.

edit - upload here: https://ufile.io/fbdrjma3

Edited May 8, 2022 by Damnation